Document

advertisement
THE PERSONAL DATA PROTECTION ACT 2010:
ISSUES & IMPLICATIONS
FIDE Forum – Breakfast Talk
11 April 2013
Adlin Abdul Majid
Content
•
Introduction
•
The 7 Principles
•
Compliance
2
Prevent
abuse of
personal data
Prevent
direct
marketing
Why is data
protection
law
important?
Ensure that
data is kept
securely
Ensure that data
is accurate
3
Joining the global privacy & data protection community
4
Introduction
PERSONAL DATA PROTECTION ACT 2010
•
Applies to any person who:
•
Processes
•
Written
Oral
Has control /over
or authorises processing
of
personal data in respect of commercial transactions
•
Application
Applies if:
•
Person is established in Malaysia & personal data is
processed, whether or not in context of that
establishment, by that person or any other person
employed or engaged by that establishment
•
Person not established in Malaysia, but uses equipment
in Malaysia to process personal data (otherwise than for
purpose of transit in Malaysia)
5
Introduction
PERSONAL DATA PROTECTION ACT 2010
•
NOT applicable •
Federal & State Governments
Personal data processed outside Malaysia, unless intended
/ Oral in Malaysia
to beWritten
further processed
6
Introduction
data subject
Individual who is subject of personal data
data user
•
Person who (alone or jointly or in common with other persons) processes
personal data OR has control over OR authorises processing of personal data
•
Does not include data processor
Written
/ Oral
data
processor
•
Person (other than data user’s employee) who processes personal data solely
on behalf of data user
•
Does not process for own purpose
7
Introduction
personal data
Any information in respect of commercial transactions:
•
•
that relates directly or indirectly to a data subject
who is identified or identifiable from that information or from
that & other information in the possession of a data user
•
includes any sensitive personal data & expression of opinion
about the data subject
May be in any form, so long as a data subject can be
“identified” / “identifiable” (eg. name, NRIC no, phone
no, photograph, e-mail address, fingerprint, DNA)
8
Introduction
sensitive personal data
•
•
Any personal data consisting of information as to:
•
the physical or mental health or condition of a data
subject;
•
his political opinions;
•
his religious beliefs or other beliefs of a similar nature;
•
the commission or alleged commission by him of any
offence; or
•
any other personal data determined by the Minister
Can only be processed under specific circumstances set
out in PDPA (including explicit consent by data subject)
9
Introduction
Disclosure
Alignment,
combination,
correction,
erasure,
destruction
Organisation,
adaptation,
alteration
PROCESSING
Collecting
Storing
Holding
Recording
10
Introduction
commercial transactions
•
Any transaction of a commercial nature, whether contractual
or not
•
Includes matters relating to:
•
•
Supply or exchange of goods or services;
•
Agency;
•
Investments;
•
Financing;
•
Banking; &
•
Insurance
Does not include a credit reporting business
11
Introduction
commercial transactions
The Personal Information Protection &
Electronic Documents Act (PIPEDA)
Ferenczy v MCI Medical Clinics
• Collection of personal data by a private investigator to be used
in legal proceeding is not a commercial transaction
• The transaction itself is not conclusive, but rather the intention
in using the personal data
12
Introduction
commercial transactions
Case
Facts
Commercial Transaction?
PIPEDA Case
Summary #342
Collection of personal data of tenants
by landlords
Yes
PIPEDA Case
Summary #309
Collection of information of a child in a
daycare organisation
Yes
PIPEDA Case
Summary #345
Collection of information by a private
school
No, look at the core activity of the
school’s services
Rodgers v. Calvert,
2004 ON SC (CanLII)
Collection of personal information in a
membership list, which charged
membership fees
No, charging a fee for membership
does not mean it is for a
commercial transaction
PIPEDA Case
Summary #2009-008
Collection of personal information by a
social networking site
Yes, the personal data is used for
the success of the website.
13
Content
•
Introduction
•
The 7 Principles
•
Compliance
14
Principles of data protection
For data to be processed lawfully in Malaysia, data user shall
comply with following principles:
1. General Principle
2. Notice & Choice Principle
3. Disclosure Principle
4. Security Principle
5. Retention Principle
6. Data Integrity Principle
7. Access Principle
15
Principles of data protection
Data Subject
* General Principle
Written
/ Oral
*Access Principle
* Notice &
Choice Principle
Data User
Data Processor/
3rd Party
* Security Principle
* Retention Principle
* Integrity Principle
* Disclosure
Principle
16
Principles of data protection
Data Subject
* General Principle
•
Data user shall not process a personal data about a data
* Notice &
Written
/given
Oral his consent to
*Accesshas
Principle
subject
UNLESS
the
data
subject
Choice Principle
the processing of the personal data
•
Personal data shall not be processed UNLESS:
•
Data
User directly related to activity of data
For lawful
purpose
Data Processor/
user * Security Principle
•
* Retention
Principle
Necessary
for or
directly related to purpose
•
* Integrity Principle
3rd Party
* Disclosure
Adequate but not excessive in relation
to purpose
Principle
17
What do you need consent for?
Non-sensitive
personal data
Sensitive
personal data
(explicit
consent)
Written / Oral
Consent?
Disclosure of
personal data
to third parties
Transfer of
personal data
overseas
18
Exemptions to consent
No
Exemption
Example
(a)
For the performance of a contract to which
the data subject is a party
Employment contracts
(b)
For the taking of steps at the request of the
data subject with a view to entering into a
contract
Before the sale & purchase of a car, the
information requested by the salesman
in order to execute the contract
(c)
For compliance with any legal obligation to
which the data user is the subject, other
than an obligation imposed by a contract
When an organisation is under a duty
pursuant to eg. tax laws, to provide
information of its employees to
authorities
(d)
In order to protect the vital interests of the
data subject
In a situation where a person is
unconscious & needs medical
treatment to save his life
(e)
For the administration of justice
For the enforcement of a court order
(f)
For the exercise of any functions conferred
on any person by or under any law
If an organisation is tasked to perform
a service by a law
19
Sensitive personal data may only be processed if…
Explicit consent given by data subject
Written / Oral
Processing is necessary
Personal data has been made public
20
Principles of data protection
•
Data Subject
Data user shall provide a written notice
to the data subject. To include:
•
* General Principle
That personal data of the data
subject is being processed by or on
behalf of the data user
•/ Oral
Description of the personal data
Written
*Access Principle
* Notice &
Choice Principle
Data User
•
Purpose it is collected & further
processed
•
Class of 3rd parties to whom data
user discloses / may disclose the
Data Processor/
personal data
* Security Principle
* Retention Principle
•
3rd Party
Whether it is obligatory for the data
* Disclosure
subject to provide the personal data
* Integrity Principle
Principle
•
Must be given as soon as practicable
•
In national language & English
21
Channels of serving notice
22
•
Application
forms
•
Terms &
conditions
•
RFQs / RFPs
•
Agreements
•
Letters of
employment
•
Salary slips
•
E-mails
Principles of data protection
Data Subject
Personal data
shall Principle
not without the consent of
* General
the data subject, be disclosed:
•
For any purpose other than the purpose
* Notice
&
disclosed
at the time ofWritten
collection
/ or
Oral
*Access
Principle
Choice Principle
related purpose; or
•
To any party other than 3rd parties of the
class in notice
Data User
Data Processor/
3rd Party
* Security Principle
* Retention Principle
* Integrity Principle
* Disclosure
Principle
23
Disclosure to third parties
Malaysia
Related
companies /
affiliates /
consultants
Personal
data
Notification of disclosure
to 3rd parties
Authorities
Data
processors
(1) Notification of
disclosure to 3rd
parties
(2) Data processors’
compliance with
PDPA
24
Disclosure to third parties
Malaysia
Related
companies /
affiliates /
consultants
Personal
data
Overseas
Notification of disclosure
to 3rd parties
Authorities
Data
processors
(1) Notification of
disclosure to 3rd
parties
(2) Data processors’
compliance with
PDPA
Notification of
transfer out of
Malaysia
25
Principles of data protection
•
A data user to practical steps to protect the personal data from any loss,
misuse, modification, unauthorised or accidental access or disclosure,
Subject
alteration orData
destruction
•
If processing is carried out by a data processor on behalf of the data user,
the data user shall ensure that the data processor:
* General Principle
provides
sufficient guarantees in respect of the technical &
* •Notice
&
Written
/ Oral
*Access Principle
organisational security measures governing the processing
Choice Principle
•
takes reasonable steps to ensure compliance with those measures
Data User
Data Processor/
3rd Party
* Security Principle
* Retention Principle
* Integrity Principle
* Disclosure
Principle
26
What is “adequate”?
Written / Oral
27
Principles of data protection
Data Subject
* General Principle
•
The personal data processed for any purpose shall not be kept longer
than is necessary for the fulfillment of that purpose
* Notice &
Written
/ Oral
*Access Principle
• Principle
No time limit but if it is not required for its initial purpose, it must be
Choice
destroyed
Data User
Data Processor/
3rd Party
* Security Principle
* Retention Principle
* Integrity Principle
* Disclosure
Principle
28
Principles of data protection
Data Subject
General
Principle
A data user* shall
take
reasonable steps to ensure that the personal data
is accurate, complete, not misleading & kept up-to-date by having regard
to the purpose, including any directly related purpose, for which the
personal data was
collected
& further processed
* Notice &
Written
/ Oral
*Access
Principle
Choice Principle
Data User
Data Processor/
3rd Party
* Security Principle
* Retention Principle
* Integrity Principle
* Disclosure
Principle
29
Principles of data protection
Data Subject
* General Principle
* Notice &
Choice Principle
Written
/ Oral
*Access Principle
•
A data subject shall be given access to his personal data held by a data
Data User
user
•
Datadata
Processor/
* Security
Able to correct
thatPrinciple
personal data where the personal
is inaccurate,
* Retention
Principle
3rd Party
incomplete,
misleading
or not up-to-date
•
* Disclosure
EXCEPT where compliance with a request
to such access or correction is
Principle
refused under PDPA
* Integrity Principle
30
Other key provisions
Rights of data subject
•
Right to access personal data
•
Right to correct personal data
•
Right to withdraw consent
•
Right to prevent processing likely to cause damage or
distress
•
Right to prevent processing for purpose of direct marketing
31
Other key provisions
Data user registration
Data user forum
32
Content
•
Introduction
•
The 7 Principles
•
Compliance
33
34
35
Why is compliance important?
Written / Oral
36
Why is compliance important?
Offence
Liability
Contravention of the personal data protection
principles
RM300,000 or imprisonment
of 2 years or both
Failure to register as data user for specified class of
data users
RM500,000 or imprisonment
of 3 years or both
Data users continue to process personal
data
after
Written
/ Oral
the registration is revoked
RM500,000 or imprisonment
of 3 years or both
Processing of sensitive personal data in
contravention with s40
RM200,000 or imprisonment
of 2 years or both
Failure to comply with the Commissioner's
requirements to cease processing of personal data
likely to cause damage or distress
RM200,000 or imprisonment
of 2 years or both
Unlawful collection or disclosure of personal data:
RM500,000 or imprisonment 3 years or to both
RM500,000 or imprisonment
of 3 years or both
Transfer of personal data overseas
RM300,000 or imprisonment
of 2 years or both 37
Compliance
Top-down approach
Written / Oral
Analysis of status quo & existing gaps
Solutions should address gaps by complying
with legal requirements in an effective
manner
38
Compliance
Prevent
• Risk assessment
& regular reassessment
• Policies
• Guidelines
• Training
Detect
• Monitoring
• Compliance
Audit
• Concern /
incident
reporting
Respond
• Internal
Investigations
• Dealings with
authorities
• Employment
related
consequences
39
Compliance
Privacy Written / Oral
Impact
Compliance
Assessment
40
Compliance
Privacy Impact Assessment
LOOK OUT FOR:
Description of personal data
How personal data is collected
Was consent sought? How?
Purpose of processing
How personal data is kept – security?
Procedures to ensure accuracy? Access?
Retention period? Is personal data destroyed?
Disclosure / transfer
41
Compliance
Compliance
Types of Documents
Description
Type A: Policies & Procedures 1. Internal Data Protection Policy
2. External Data Protection Policy
Type B: Agreements
1. Guide to amend agreements
2. Amended agreements
3. Supplementary agreement
Type C: Notices
1. Recruitment
2. Employment
3. Customers
4. Vendors
42
Compliance: Policies
General
Written / Oral
IT &
Security
Access
Retention
43
Compliance: Documents
Compliance
Application
forms
Terms &
conditions
Contracts of
employment
Employee
handbooks
Service
agreements
Notices
44
Remember:
Transitional provision
Where a data user has collected personal data from the data
subject or any third party before the date of coming into
operation of PDPA, he shall comply with the provisions of
PDPA within 3 months from the date of coming into
operation of PDPA
45
Thank you
Adlin Abdul Majid ([email protected])
Lyssa Loh ([email protected])
Download
Related flashcards

Contract law

34 cards

English contract law

13 cards

Create Flashcards